OWASP ZAP Tutorial

How to check webapps and websites for common vulnerabilities,
how to fix them and schedule regular scans.

What is OWASP?

OWASP (Open Web Application Security Project) is a nonprofit organization dedicated to improving the security of software. It is a global community of volunteers who work to identify and address vulnerabilities in web applications and related technologies. OWASP provides a variety of resources for software developers, security professionals, and the general public, including a set of best practices for building secure software, a list of the most critical web application security risks, and tools and frameworks for testing and improving the security of web applications. OWASP also hosts conferences, workshops, and other events to bring together experts in the field of web application security and to educate the broader community about best practices for securing web applications.

What is ZAP?

OWASP ZAP (Zed Attack Proxy) is a free and open-source web application security testing tool. It is designed to help developers and security professionals identify and fix vulnerabilities in web applications. OWASP ZAP provides a wide range of features, including the ability to intercept and modify traffic, scan for vulnerabilities, and automate testing. It can be used to test the security of web applications during development, as well as in production. OWASP ZAP is written in Java and is available for Windows, Mac, and Linux. It is one of the tools recommended by OWASP for testing the security of web applications.

Install ZAP

To install OWASP ZAP on your computer, follow these steps:

  • Download the latest version of OWASP ZAP from the project's website: https://www.zaproxy.org/download
  • Select the appropriate installer for your operating system (Windows, Mac, or Linux)
  • Run the installer and follow the prompts to install OWASP ZAP on your computer
  • Once the installation is complete, you can launch OWASP ZAP from the Start menu (Windows), the Applications folder (Mac), or the command line (Linux)

Note: You need Java installed on your system in order to run OWASP ZAP. If you don't have Java installed, you can download it from the Oracle website: https://www.oracle.com/java/technologies/javase-downloads.html. Alternatively, you can run OWASP ZAP as a Docker container, which requires Docker to be installed on your system. The following command pulls the latest stable OWASP ZAP image from Docker Hub and runs it as a container:

docker run -u zap -p 8080:8080 -p 8090:8090 -i owasp/zap2docker-stable zap.sh -daemon -port 8090 -host 0.0.0.0 -config api.disablekey=true

This runs OWASP ZAP in the background in daemon mode. The -port 8090 flag sets the port ZAP listens on inside the container and -p 8090:8090 publishes it, so the proxy and the API are reachable at http://localhost:8090 (the 8080 mapping is not used by this command). Note that -config api.disablekey=true turns off API key authentication and -host 0.0.0.0 accepts connections from outside the container, so anyone who can reach the published port can control ZAP; keep it bound to localhost or a trusted network, or leave the API key enabled.

Run a passive scan

To run a passive scan using OWASP ZAP, follow these steps:

  • Open OWASP ZAP
  • From the Quick Start Tab, enter the URL of the web application that you want to scan in the "URL to attack" field
  • Click "Attack"

OWASP ZAP will now start a passive scan of the web application. This means that it will analyze the traffic between the client and the server, but it will not actively try to find vulnerabilities by sending requests to the server. The scan will take a while to complete, depending on the size of the web application. While the scan is running, you can view the progress in the "Scan Progress" tab.

When the scan is complete, you can view the results in the "Alerts" tab. The results will show any potential vulnerabilities that were identified by the scan, along with the severity of each vulnerability.

Note: A passive scan is a good starting point for testing the security of a web application, but it may not find all vulnerabilities. To get a more comprehensive view of the security of the web application, you should also run an active scan.
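As an added example (not code from this tutorial or from the ZAP project), the script below drives the ZAP daemon started by the Docker command in the install section through its JSON API instead of the Quick Start tab: it fetches a target through ZAP so the passive rules see the response, waits for the passive-scan queue to drain, pulls the alerts recorded for that target and summarizes them by risk level so a scheduled job can fail on anything above an allowed level. It assumes ZAP is listening on http://localhost:8090 with api.disablekey=true, as that command configures; the target URL, the threshold and the SAMPLE_ALERTS records (constructed in the shape of the core/view/alerts response) are assumptions of mine so that the summary part runs offline.

```python
"""Drive a ZAP daemon over its JSON API: passive-scan one URL and gate on alerts.

Assumes ZAP runs as in the docker command above (listening on localhost:8090,
API key disabled). Target, thresholds and sample alerts are hypothetical.
"""
import json
import sys
import time
import urllib.parse
import urllib.request
from collections import Counter

ZAP_API = "http://localhost:8090"  # assumption: matches "-port 8090" in the docker command
RISK_ORDER = ["Informational", "Low", "Medium", "High"]  # ZAP's risk levels, lowest first


def zap_get(component: str, kind: str, name: str, **params) -> dict:
    """Call one ZAP JSON endpoint, e.g. /JSON/core/view/alerts/?baseurl=...
    With api.disablekey=true no X-ZAP-API-Key header is required."""
    url = f"{ZAP_API}/JSON/{component}/{kind}/{name}/?{urllib.parse.urlencode(params)}"
    with urllib.request.urlopen(url, timeout=30) as resp:
        return json.load(resp)


def passive_scan(target: str, timeout_s: int = 120) -> list:
    """Fetch target through ZAP so the passive rules see the response, wait until
    the passive-scan queue is empty, then return the alerts recorded for target."""
    zap_get("core", "action", "accessUrl", url=target, followRedirects="true")
    deadline = time.monotonic() + timeout_s
    while int(zap_get("pscan", "view", "recordsToScan")["recordsToScan"]) > 0:
        if time.monotonic() > deadline:
            raise TimeoutError("passive scan queue did not drain in time")
        time.sleep(2)
    return zap_get("core", "view", "alerts", baseurl=target)["alerts"]


def summarize(alerts: list) -> dict:
    """Per risk level: number of alerts and the distinct alert names."""
    counts = Counter(a["risk"] for a in alerts)
    names = {}
    for a in alerts:
        names.setdefault(a["risk"], set()).add(a["alert"])
    return {risk: {"count": counts.get(risk, 0), "names": sorted(names.get(risk, ()))}
            for risk in RISK_ORDER}


def exceeds_threshold(alerts: list, max_risk_allowed: str = "Low") -> bool:
    """True if any alert is rated above the highest allowed risk level."""
    allowed = RISK_ORDER.index(max_risk_allowed)
    return any(RISK_ORDER.index(a["risk"]) > allowed for a in alerts)


# Constructed sample in the shape of the core/view/alerts response (only the
# fields used here; real responses carry more, e.g. solution and evidence).
SAMPLE_ALERTS = [
    {"alert": "X-Content-Type-Options Header Missing", "risk": "Low",
     "confidence": "Medium", "url": "http://example.test/", "pluginId": "10021"},
    {"alert": "Content Security Policy (CSP) Header Not Set", "risk": "Medium",
     "confidence": "High", "url": "http://example.test/", "pluginId": "10038"},
    {"alert": "X-Content-Type-Options Header Missing", "risk": "Low",
     "confidence": "Medium", "url": "http://example.test/login", "pluginId": "10021"},
]


if __name__ == "__main__":
    # Usage: python zap_passive_gate.py http://target.example/  (needs a running ZAP)
    # With no argument the constructed sample is summarized instead, offline.
    alerts = passive_scan(sys.argv[1]) if len(sys.argv) > 1 else SAMPLE_ALERTS
    for risk, info in summarize(alerts).items():
        print(f"{risk:14s} {info['count']:3d}  {', '.join(info['names'])}")
    sys.exit(1 if exceeds_threshold(alerts, "Low") else 0)
```

Run with a URL as the first argument against the daemon to scan it; the non-zero exit status on alerts above the allowed level is what makes the script usable as a gate in a cron job or CI pipeline. Only URLs you are authorized to test should be passed in, as with any ZAP scan.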

Hosted ZAP with Scheduled Scans and Email Alerts

Try our Hosted ZAP scanner to perform a passive scan within minutes with nothing to install. The free plan includes up to two sites on a daily scheduled scan with summarized results sent to your email. Click here to get started.